FBI Driver's License Photo Searches Raise Privacy Questions

Facial-recognition software advances allow law enforcement and government agencies to match images of unknown suspects with government-issued ID photos.

Spy Tech: 10 CIA-Backed Investments

(click image for larger view and for slideshow)

When conducting investigations, the FBI can now compare images of unknown suspects with state-issued driver's license photographs, using facial-recognition software to find potential hits.

That revelation was made Monday by privacy rights groups Electronic Privacy Information Center (EPIC). "Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs," according to a statement released by the organization. "The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs."

According to EPIC, one use of this data would allow the FBI to create a "massive virtual line-up" of suspects in an investigation.

The FBI isn't alone in running biometric searches on driver's license data. According to the The Washington Post, 26 states -- including Texas, Massachusetts, Illinois and Florida -- have facial-recognition systems, and allow police to search that data or request searches against a combined 107 million photos. Meanwhile, 11 states have facial-recognition systems but generally don't allow law enforcement agencies to search their combined 38 million images. Finally, 13 states have amassed a combined 65 million photos, but don't have facial-recognition systems for searching driver's license photos.

[ Citizens are raising a lot of questions about how the government balances security and privacy. See NSA Prism: Readers Speak. ]

While the FBI has agreements with some states that allow the bureau to search their driver's license and non-driver ID photos, the bureau has also amassed about 15 million photographs of arrestees and people convicted of crimes. The State Department, meanwhile, has about 230 million photos relating to visas and passports, but has relatively tight controls on how that information can be accessed by law enforcement agencies. Finally, the Defense Department has a database of about 6 million photos, largely comprised of people in Afghanistan and Iraq, compiled by soldiers battling insurgents. In fact, the facial-recognition software used by most government agencies, developed by Boston-based private contractor MorphoTrust USA, which is owned by France-based Safran, was created to help soldiers in the field positively identify insurgents.

Running facial recognition searches has long been the stuff of cop shows: A grainy still image captured from a CCTV camera is compared, using software, with a database of driver's license or other official government ID photos, until a sudden high-probability "hit" is made, helping investigators chase down a suspect and crack their case.

While facial-recognition-search payoffs are common on NCIS, in real life, the software carries caveats, with the Post noting that one image of a middle-aged white man might return a match with a 20-something African-American woman who has similarly shaped eyes or lips.

Still, advances in software are making large-scale facial recognition searches more feasible. But that raises privacy questions: Who should be allowed to run these facial recognition searches, and what privacy controls or oversight should be in place?

One fear is that authorities might amass a facial recognition database on par with national registers of fingerprint data, and increasingly, DNA data. Accordingly, EPIC said that it's currently "suing the FBI to learn more about its development of a vast biometric identification database," referring to the bureau's Next Generation Identification program, which EPIC said will aggregate information about "fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs and other identifying information."

The privacy rights group has warned that large-scale biometric databases could, for example, be used by law enforcement agencies to automatically catalog the identity of everyone participating in a peaceful -- and legal -- political demonstration.

"The potential for abuse of this technology is such that we have to make sure we put in place the right safeguards to prevent misuse," said Sen. Al Franken (D-Minn.), in a statement. "We also need to make sure the government is as transparent as possible in order to give the American people confidence it's using this technology appropriately."

In the case of the FBI, facial recognition is provided by -- and full access to the underlying data restricted to -- the bureau's Facial Analysis Comparison and Evaluation (FACE) services unit, which is part of the bureau's criminal justice information services division, and which is staffed by highly trained biometric images specialists.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.